Business Continuity Management


Patrick Woodman
March 2007
In association with

Foreword

As the Director of the Civil Contingencies Secretariat (CCS), I am pleased to support this report on the Chartered Management Institute's 2007 Business Continuity Management survey. This research was co-sponsored by CCS.

The report reveals a situation which, while having a number of identifiable trends towards improved business continuity planning, is also one where there is still much work to be done. There are still too many organisations that have no business continuity plan, or have one that is unknown to staff or is not subjected to exercise and review. The report looks to address this side of the picture in a series of key recommendations, which make the case for robust, comprehensive and effectively communicated business continuity arrangements for organisations of all kinds.

From the Carlisle floods to the London bombings and the Buncefield explosion, recent incidents have shown clearly the vast range of impacts that emergencies can have on organisations across all sectors, affecting profits and operations. This is bad for employees, shareholders, customers and communities. If followed, the recommendations of this report will greatly strengthen the ability of an organisation to manage the impacts of emergencies. This will be good news for businesses and for national resilience as a whole.

Bruce Mann, Director of Civil Contingencies Secretariat, Cabinet Office

Executive Summary

Seventy three per cent of managers report that Business Continuity Management is important in their organisation, and 94 per cent of those who had invoked their plans agreed that they had reduced disruption.

Despite the perceived importance and range of disruptions reported, eight years on since this survey began, over half of the 1257 managers surveyed in 2007 work in organisations where there is no specific Business Continuity Plan (BCP) in place.

Around one in three organisations reported experiencing disruptions due to loss of IT (39 per cent) and loss of people (32 per cent) over the past year; and those affected by extreme weather conditions had risen over the past year from 9 to 28 per cent.

There are signs that businesses have improved aspects of their planning: 55 per cent have plans for a possible influenza pandemic. These plans incorporate higher levels of staff absenteeism than in 2006, but organisations remain unclear about the likely duration of such absences and many are not considering the impact of additional parent-worker absences.

Only half of organisations with plans carry out regular and thorough rehearsals, despite strong evidence that rehearsals are vital to ensure the effectiveness of planning. 80 per cent of those who had rehearsed their plans reported shortcomings that needed to be addressed.

Although 81 per cent of managers report that their organisation could support remote working to some extent, if the IT/telecommunications infrastructure has not been put in place and tested such reported resilience may not be a reality.

Corporate governance is identified as a key driver by 80 per cent of managers working in listed companies. There is also evidence that planning is being driven through the supply chain, through the requirements of public sector procurement contracts and by customers demanding evidence of BCPs from their business-critical suppliers.

Government continues to play a major role in driving BCM through the public sector and beyond. The Civil Contingencies Act appears to already have had some impact, and this trend is likely to continue since its provisions came into full effect in May

Background

What is Business Continuity Management?

Business Continuity Management (BCM) is based on the principle that it is the key responsibility of an organisation's directors to ensure the continuation of its business operations at all times. It may be defined as:

"A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities." *

Business Continuity Management is an established part of the UK's preparations for the possible threats posed to organisations, whether from internal systems failures or external emergencies such as extreme weather, terrorism, or infectious disease. The Civil Contingencies Act 2004 recognised its importance by requiring frontline responders to maintain internal BCM arrangements and, since May 2006, local authorities have been required to promote BCM to business and voluntary organisations in their communities.

The survey

This report presents the findings of research conducted in January 2007 by the Chartered Management Institute in conjunction with the Civil Contingencies Secretariat in the Cabinet Office and Continuity Forum. It is the eighth survey that the Institute has undertaken on BCM since A total sample of 10,600 individual Institute members was surveyed and 1257 responses were received; please see Appendix B p.17 for details.

* BS British Standards Institution's Code of Practice for Business Continuity Management

1. Understanding risks and potential disruption

1.1 Events causing disruption in the past year

The Chartered Management Institute's research into BCM addresses a wide range of threats faced by managers across the UK. It tracks managers' perceptions of threats as well as their actual experiences of disruption.

Loss of IT is the most frequent disruption, as in previous years. Loss of people also continues to be a major cause of disruption. This year's results indicate a sharp rise in disruptions due to extreme weather incidents, up from 9 per cent in 2006 to 28 per cent, as indicated in Table 1 below. The right-hand column indicates how many organisations were able to use their Business Continuity Plans in response to such disruptions. See also Table 2 for the disruptions covered by BCPs and Section 4, which sets out the overall extent of continuity planning across organisations.

[Table 1: Disruptions experienced in the previous year. Base: 1257 respondents (2007). Right-hand column: BCP invoked. Rows: Loss of IT; Loss of people; Extreme weather e.g. flood/high winds; Loss of telecommunications; Utility outage e.g. electricity, gas, water, sewage; Loss of key skills; Negative publicity/coverage; Employee health and safety incident; Supply chain disruption; Loss of access to site; Damage to corporate image/reputation/brand; Pressure group protest; Industrial action; Environmental incident; Customer health/product safety issue/incident; Fire; Terrorist damage.]

The impact of specific incidents

Reporting on specific incidents during the last two years, managers highlighted the impact of extreme weather, with more than 50 per cent identifying some disruption to their organisation as a result was one of the warmest years on record, with low rainfall and a heatwave experienced in June and July causing hosepipe and sprinkler bans and drought orders in the South-East. Some organisations were forced to shut down computers due to the heat, or close offices due to high temperatures. Severe storms at the end of November also caused widespread disruption.

The survey shows that the area worst affected by extreme weather was Wales, where one in five reported significant disruption (21 per cent), closely followed by Scotland and the South-East of England (18 per cent each).

[Chart 1: Disruption caused by specific incidents. Incidents: Extreme weather events; London bombings in July 05; Terrorist threat to flights August; Buncefield oil explosion December. Scale: No impact; Negligible effect; Minor disruption; Significant disruption.]

Disruptions: perception of threats

As in previous years, loss of IT and telecommunications were the most commonly perceived threats, reflecting the frequency of their occurrence (Table 2, below). The right-hand column indicates how many organisations are addressing each threat in their BCPs, and it again shows the dominance of traditional BCM concerns such as IT, telecommunications, access to site and fire. Many managers recognise that loss of people or skills would have a major impact on their organisation, but smaller numbers are including these considerations in their BCPs.

[Table 2: Perceptions of major threats to costs and revenues. Base: 1257 respondents (2007). Right-hand column: BCP covers. Rows: Loss of IT; Loss of telecommunications; Loss of (access to) site; Loss of key skills; Loss of people; Utility outage e.g. electricity, gas, water, sewage; Fire; Damage to corporate image/brand/reputation; Terrorist damage; Negative publicity/coverage; Flood/high winds; Employee health and safety incident; Supply chain disruption; Customer health/product safety; Environmental incident; Industrial action; Pressure group protest.]

2. Potential impact of a human influenza pandemic

2.1 Extent and robustness of influenza planning

In the context of the continuing threat of a human influenza pandemic, managers were asked if their organisation has plans in place to ensure that it could continue to function in the event of a pandemic, and if so, how they assessed the plan's likely effectiveness. Nineteen per cent believed their organisation's plan would be robust or very robust, but 43 per cent reported that they have no plans.

[Chart 2: Perceived effectiveness of plans for an influenza outbreak. Categories: No reply; No plans (43); Weak; Moderate; Robust; Very robust.]

2.2 Anticipated absence levels

Managers who did report having plans for an influenza pandemic also appear to be planning for higher rates of absenteeism than previously.

The new national framework for responding to an influenza pandemic, which the Department of Health and Cabinet Office will be consulting on shortly, advises that as a prudent basis for planning, organisations employing large numbers of people should ensure that their plans are capable of handling staff absence rates building up to a peak of 20 per cent lasting 2-3 weeks (in addition to usual absenteeism levels). Small businesses, or larger organisations with small critical teams, should plan for levels of absence building up to per cent at the 2-3 week peak, or perhaps higher for very small businesses with only a handful of employees. The survey's findings, shown in Chart 3 below, compare well to this guidance.

[Chart 3: Additional absenteeism levels anticipated in influenza plans]

The survey also asked how long organisations plan possible pandemic-related absences to last. As indicated below, a majority are planning for disruption of at least two weeks.

[Table 3: Anticipated length of employee absenteeism. Base: 537 respondents.]

Additional absence due to school closures/care of dependents

An additional factor that organisations must consider when planning for an influenza outbreak is the impact of increased parent-worker absences resulting from possible school and childcare closures during a pandemic, beyond the direct impact of the illness. The survey looked at the likely impact of such additional absences on organisations as shown in Chart 4 below.

[Chart 4: Impact of additional parent-worker absences. Categories: No reply; No or negligible levels of disruption; Moderate levels of disruption; High levels of disruption; Organisation could not function.]

3. Building resilience: alternative offices and remote working

3.1 Alternative workplaces

A new question asked respondents if their organisation had access to an alternative office or work site in the event of a major disruption. Overall, almost two thirds (64 per cent) said that they did. Managers in large organisations were most likely to have alternative work sites (74 per cent), although over half of respondents in small or medium-sized organisations (55 per cent) also reported having access to alternative sites.

3.2 Remote working

Providing the ability to work remotely can be a useful part of BCM preparations for many organisations. Many employees may be unable or unwilling to travel to the office in the event of a major disruption. Just over half of managers report that their organisation could support remote working to a great extent. There were only limited differences between different sizes of organisation in this respect, although large firms appear to be better prepared.

Table 4: Preparedness for remote working in the event of a major disruption
Base: 1257 respondents (2007)
To a great extent: 53
To a small extent: 28
Not possible due to nature of the organisation's work: 12
Our IT systems do not support remote working: 5
No reply: 2

While these results are encouraging, organisations must be sure that they have the capacity to make this a reality. Expanding IT and communications capacity to enable large numbers of employees to work remotely may be impossible in the middle of a major disruption; suppliers, for instance, may be unable to meet expectations due to high demand or disruption to their operations. Systems should be in place and fully tested before disruption occurs.

4. Extent of Business Continuity Management

4.1 Levels of Business Continuity Planning

Seventy three per cent of managers report that Business Continuity Management is regarded as important or very important by senior management in their organisation. However, the number whose organisations have a specific BCP covering their critical business activities is much lower, at 48 per cent, and has been broadly constant since

[Chart 5: % of managers whose organisation has a BCP]

The survey data indicates differences between different types and sizes of organisation. BCPs are more common in large organisations.

[Chart 6: % of organisations with BCPs by size (1). Categories: Small organisations; Medium organisations; Large organisations.]

Looking at different types of organisations, BCPs are most prevalent in the public sector, which may be due to the obligation on many public sector organisations to have BCPs under the Civil Contingencies Act. Listed companies follow, while private companies and the voluntary/not-for-profit sector demonstrate lower levels of take-up.

[Chart 7: % of organisations with BCPs by organisation type. Categories: Public sector; Listed companies; Private companies; Voluntary/not-for-profit.]

The use of BCPs also varies widely between particular industry sectors. Some 80 per cent of managers working in finance and insurance report that their organisations have BCPs; the utilities sector (electricity, gas and water) is second highest at 76 per cent. Construction and education are the lowest-ranking sectors (see also Table 8, p.15).

(1) Based on standard definitions of organisation sizes: Small = under 50 employees (chart excludes sole traders); Medium = employees; Large = over 250 employees.

4.2 External drivers of BCM

The finding that BCM is more common in the public sector and in listed companies is consistent with the survey's findings on the drivers behind the adoption of BCM by different organisations. Corporate governance was again the most commonly identified driver of BCM: it is cited by twice as many managers as five years ago. Customer demand remains the second most common driver and is particularly important for private limited companies.

Corporate governance is particularly important in certain types of organisations. In particular, it is identified as a key driver by 80 per cent of those managers working in PLCs that have a specific BCP. This may reflect the recent emergence of narrative reporting under the Business Review, which requires directors of listed companies to provide a description of the principal risks and uncertainties facing the company. However, corporate governance is also the lead driver of BCM in voluntary and not-for-profit organisations, identified by 71 per cent.

The importance of central government has increased substantially in recent years, from just 14 per cent in 2004 to 27 per cent in It is a particularly important driver for the adoption of BCM in the public sector, cited as a key driver by 72 per cent of all public sector managers. Public sector procurement requirements are also having some impact on the private sector, cited by 10 per cent of all managers in private sector companies.

5. Effectiveness of Business Continuity Management

5.1 How far does BCM reduce disruption?

Managers in organisations that had invoked their BCPs in response to an incident in the previous year were asked how far they agreed that the BCP had effectively reduced the disruption. A total of 94 per cent agreed or strongly agreed that it had.

5.2 Rehearsal and invocation of BCPs

Half of managers whose organisations have BCPs report that they rehearse their plans once or more per year. This has changed little over the eight years of the survey. Over a third reported that they do not rehearse their BCPs at all. There is a danger that many of these plans will not work when most needed. Customers, who are the second biggest driver for BCM, are failing to demand evidence of plan rehearsals. Such evidence would provide a clear indication that BCM is taken seriously by their supplier.

[Chart 8: Frequency of rehearsal of BCPs. Categories: Every three months; Once a year; Bi-annually; Not at all.]

Eighty per cent of those who had rehearsed their plans said that the rehearsals had revealed shortcomings in their BCP. Of these, 85 per cent said they had taken action to address the shortcomings, although a substantial minority (15 per cent) had not.

Lessons from experience

Additional comments from survey respondents highlight the importance of ensuring that BCPs are kept up to date. One respondent commented: "Things change! A static plan can evoke areas that no longer exist or have changed with unexpected results. Review the BCP more regularly than every 12 months."

Another respondent, for whom loss of IT had caused major problems in serving customers for 48 hours, agreed that use of BCM had reduced the impact but emphasised the need to review and rehearse a BCP regularly: "The time taken to recover to a position where we could operate adequately was much shorter than it otherwise would have been - but plans need to be checked regularly as the business does not stand still and some aspects of the plan were no longer valid."

Others admitted to failures. One respondent in the health and social care sector commented: "Plans [were] not communicated widely enough and not readily accessible to appropriate employees 24 hours per day."

5.3 BCM training

As in previous years, BCM-related training activity remains limited. Even among those who have a BCP, just 30 per cent include training on the organisation's BCM arrangements in the induction process for all new employees. Fifty five per cent provide training for relevant staff. With staff turnover at 18.3 per cent annually in the UK in 2006 [CIPD, 2006], there is a clear need for increased levels of training to support effective BCM and build resilience against disruption.

6. Managing Business Continuity

6.1 Who takes responsibility for BCM?

Senior management tiers are most likely to hold responsibility for BCM in those organisations which have BCPs, with responsibility for leading BCM resting with senior management or the board in 70 per cent of cases. The results also appear to confirm the increased prevalence of dedicated BCM teams since 2005, as indicated in Table 5 below.

[Table 5: Responsibility for leading BCM. Base: 693 respondents (2007). Rows: Senior management; Board; BCM team; Operational staff; Operational risk department; Don't know.]

6.2 Internal stakeholders in BCM

Reflecting the continued focus of many organisations upon risks associated with IT in their BCPs, IT teams are more likely than any other functions to be involved in the development of the BCP.

Table 6: Functions involved in creating the BCP
Base: 693 respondents (2007)
IT: 65
Facilities management: 57
Human resources: 56
Risk management: 53
Finance: 52
Security: 45
Public relations: 32
Purchasing/procurement: 29
Marketing: 19
Sales: 17
Outsourcing: 16
None of the above: 3
Other

Control of BCM budgets

As in 2005 and 2006, managing directors are most likely to hold the budget for BCM. However, a new response category in this question suggests that in some organisations a dedicated BCM manager with budgetary powers is leading the agenda, although these remain a minority of organisations. Notably, 23 per cent of respondents who have a BCP indicate that there is no budget to back it up.

[Table 7: Who controls BCM budgets. Base: 604 respondents (2007). Rows: Managing director; Financial director; BCM manager; Facilities manager; IT director; Risk manager; Human resources director; No budget for BCM; Other.]

Evaluating BCM Capability

The survey asked how organisations evaluate their BCM capability. As shown in Chart 9, guidelines are most used, while legislation is also a strong driver, perhaps reflecting the impact of the Civil Contingencies Act.

[Chart 9: Use of methods for evaluating BCM capability. Categories: Guidelines; Legislation; Regulations; Other standards; BSI/ISO; BS25999/PAS56; ITIL.]

6.5 The new British Standard on BCM: BS25999

Despite only being launched in 2006, awareness of the BSI's new full standard for BCM, BS25999, is high, at 32 per cent among respondents who have a BCP or 22 per cent among all respondents. Of those who have a BCP and are aware of the new standard, 38 per cent plan to use it for guidance, 15 per cent plan to achieve third party certification while another 15 per cent plan to achieve compliance without certification. Six per cent will use it to ask for compliance from suppliers.

6.6 BCM and the supply chain

A majority of respondents (61 per cent) report that their organisations outsource some of their facilities or services. The questionnaire asked respondents if their organisation required its suppliers or outsource partners to have BCPs. The use of BCM down the supply chain remains limited, as indicated in Chart 10 below.

[Chart 10: % of organisations requiring suppliers or outsource partners to have BCM. Base: 765 respondents. Categories: Business-critical suppliers only; Outsource partners; All suppliers; Intends to; None; Don't know.]

In addition, the survey asked how those who require outsource partners or suppliers to have BCPs verify the plans. Almost half (48 per cent) accept a statement from the supplier/partner in question. Around a third (34 per cent) take the more active step of examining the supplier/partner's BCP, while 17 per cent are involved in the development of the BCP. At present, just 5 per cent assess their suppliers' or partners' plans against BS25999/PAS56.

7. Recommendations

The Chartered Management Institute, the Continuity Forum and the Cabinet Office recommend that all organisations have a robust and proportionate approach to Business Continuity Management.

Organisations which currently have BCPs should seek to enhance their effectiveness through regular, thorough and comprehensive rehearsals - and by integrating lessons learned into revised BCPs.

Organisations' BCPs should address not only technological or physical requirements, but also people and skills needs. For many organisations there remains a pressing need to address these aspects of BCM.

Organisations should ensure that their BCPs are effectively communicated. All managers and employees should be aware of their duties in the event of an incident. In addition, some organisations will find it useful to communicate their BCM arrangements to suppliers or customers.

Companies should demonstrate their commitment to BCM to key stakeholders. The Business Review offers companies an opportunity to demonstrate to their shareholders and wider stakeholders their commitment in this area.

We recommend that organisations conduct assessment and benchmarking of their BCPs. British Standard offers a basis for this.

BCM should be used more extensively throughout supply networks in the UK, in particular with essential suppliers and outsourced providers. Plans should be verified and audited where possible. It is also essential to check whether suppliers have rehearsed their plans.

All organisations should consider the possible implications of an influenza pandemic and the impact of additional absenteeism levels over a sustained period, in line with Government guidance.

8. Further Information

Managers should stay informed of the latest information on potential threats and on good BCM more generally. Useful sources of information include:

The Cabinet Office's Preparing for Emergencies website provides up to date information for businesses, voluntary organisations and the public. It includes advice on the business case for BCM and help on implementing it, as well as case studies and links to regional and local sources of information. See

For the most up to date guidance on planning for an influenza pandemic, please check the Department of Health website, or the Preparing for Emergencies website.

The Cabinet Office's UK Resilience website is a resource for civil protection practitioners, such as local authority emergency planners and business continuity managers. It offers a range of advice on emergency preparedness and response. See

Local authorities are required by the Civil Contingencies Act to offer general advice and assistance on BCM to businesses and voluntary organisations.

The Security Services provide information on covert threats and offer security advice to business and other organisations - including those organisations that are part of the Critical National Infrastructure, crucial for the delivery of essential services to the UK. See for more information.

The Continuity Forum is the leading resource for BCM professionals and offers a range of events, workshops and support services. Information about how to implement BCM can also be found at

The British Standards Institute's full standard on BCM, :2006, can be purchased and downloaded from their website. See for more information.

9. Acknowledgements

This report has been prepared by Patrick Woodman of the Chartered Management Institute.

The Chartered Management Institute wishes to acknowledge the support and advice provided by the Civil Contingencies Secretariat at the Cabinet Office. Lisa Zammit, Dr Andy Fraser and Tony Part made particularly valuable contributions. The Institute would also like to thank John Sharp of the Continuity Forum for his support and advice. The work of Petra Wilton and Mike Petrook of the Institute is also gratefully acknowledged.

Finally, the author and research partners would like to thank all the Chartered Management Institute members who took time to respond to the survey.

Appendix A: Key Messages by Sector

Table 8, below, outlines key messages for a range of specific sectors. It highlights the percentage in each sector that have a BCP; the most common drivers of BCM for the sector; the percentage of respondents that had not received any external requests for information on their BCM, an indicator of how BCM is being driven; and key messages for organisations in each sector.

Business Services
% with BCP: 45
Principal drivers: Insurers, Customers, Corporate Governance.
Comments: Insurers are keen to reduce business interruption risks
% not asked for BCM info: 62
Message: BCM ensures customer service is improved and maintained during disruptions. Communicate with customers to advise what actions are being taken at the time of a disruption to ensure customers stay loyal. Ensure key suppliers have BCM arrangements in place. Inform insurers of BCM arrangements to reduce business interruption risk.

Central Government
% with BCP: 65
Principal drivers: Corporate Governance
Comments: Whilst not covered by legislation it is recognised that the continuity of government departments and agencies is critical
% not asked for BCM info: 21
Message: BCM ensures that the critical activities of central government bodies can be maintained at the time of a disruption. Revenue collection and benefits distribution are critical in maintaining the UK economy and social stability. As part of the critical national infrastructure, central government plays a key role in providing UK resilience.

Construction
% with BCP: 29
Principal drivers: Insurers, Customers & Corporate Governance
Comments: Major contracts are driven by project management and penalty clauses. Health & safety issues high - insurers looking for good management
% not asked for BCM info: 61
Message: Successful contracts rely upon sub-contractors and suppliers delivering on time and to specification: ensure that BCM arrangements are built into contracts. The overall projects should have associated BCPs that demonstrate to the client that the project timescales will be met. A BCP included in bids provides competitive edge.

Education
% with BCP: 36
Principal drivers: Corporate Governance
Comments: Funding bodies & auditors looking for evidence of BCM
% not asked for BCM info: 46
Message: BCM is important to enable the delivery of education to the community. Time and work lost for some students cannot be replaced. BCM protects intellectual capital and funding sources. Ensure key suppliers have BCM arrangements in place.

Finance & Insurance
% with BCP: 80
Principal drivers: Regulators, Auditors & Corporate Governance
Comments: Highly regulated industry and subject to a variety of audits
% not asked for BCM info: 29
Message: BCM is well established in major players. It is a key component in achieving compliance. Major finance companies have a key role in driving BCM down the supply chain. BCM is a key element of good corporate governance and social responsibility. Some major players are part of critical national infrastructure and have a key role in providing UK resilience.

Health and Social Care
% with BCP: 54
Principal drivers: Central Government, Legislation & Corporate Governance
Comments: Health services are a principal focus for government
% not asked for BCM info: 40
Message: Disruptions in the health service have serious effects on the community. Funding can be reduced if targets are not met because of disruptions. Ensure key suppliers have BCM arrangements in place. Part of the critical national infrastructure and has a key role in providing UK resilience.

IT & Telecommunications
% with BCP: 48
Principal drivers: Insurers, Customers, Corporate Governance
Comments: IT and Telecommunications provide the underpinning infrastructure for most organisations. Telecommunications are a key element of the critical national infrastructure
% not asked for BCM info: 31
Message: BCM arrangements are essential to ensure continuity of major systems and networks. BCM now included in new contracts. Essential that BCM is integrated into the supply chain. Some major players are part of the critical national infrastructure, with a key role in providing UK resilience.

Local Government and Emergency Services
% with BCP: 64
Principal drivers: Central Government, Legislation, Auditors & Corporate Governance
Comments: These organisations are now subject to legislation under the Civil Contingencies Act
% not asked for BCM info: 14
Message: BCM is a key component in achieving compliance with the Civil Contingencies Act. BCM provides protection for critical community services. Local authorities have a key role in driving BCM down the supply chain. As part of critical national infrastructure, local government and emergency services play a key role in providing UK resilience.

Manufacturing & Production
% with BCP: 45
Principal drivers: Insurers, Customers & Corporate Governance
Comments: Major customers have become aware of their supply chain vulnerabilities - insurers are keen to reduce business interruption risks
% not asked for BCM info: 37
Message: Supply chain vulnerability is a major concern. Organisations are only as good as their weakest supplier. Identification of critical suppliers and the supplier's critical suppliers is essential. Partnership working is valuable to ensure continuity and it is important to build BCM into new contracts. Identify single points of failure in the manufacturing process and eliminate where possible. If unable to do so, ensure continuity arrangements are in place. Inform customers, existing and potential, to improve competitiveness. Inform insurers of supply chain and own BCM arrangements to reduce business interruption risk.

Retail/Wholesale
% with BCP: 44
Principal drivers: Insurers & Customers
Comments: Retail outlets drive the wholesalers but the outlets themselves have many customers who individually have no voice
% not asked for BCM info: 50
Message: BCM ensures customer service is improved and maintained during disruptions. Communicate with customers to advise what actions are being taken at the time of a disruption. Need to ensure customers stay loyal - once they try an alternative outlet they may never return. Ensure key suppliers have BCM arrangements in place. Inform insurers of BCM arrangements to reduce business interruption risk.

Transport and Logistics
% with BCP: 51
Principal drivers: Customers, Regulators, Insurers & Corporate Governance
Comments: Major players in the supply chain logistics
% not asked for BCM info: 40
Message: Supply chain vulnerability is a major concern and distributors play a key role. Establish partnership working with key customers. Ensure critical suppliers have effective BCM in place. Inform insurers of supply chain and own BCM arrangements to reduce business interruption risk. Public transport is part of the critical national infrastructure and has a key role in providing UK resilience.

Utilities - electricity, gas, water
% with BCP: 76
Principal drivers: Regulators, Legislation, Auditors, Customers & Corporate Governance
Comments: Critical infrastructure regulated companies who have major customers. Subject to a variety of audits
% not asked for BCM info: 16
Message: Utilities are highly regulated. BCM is well established in major players. BCM is a key component in achieving compliance. Major utilities have a key role in driving BCM down the supply chain. BCM is a key element of good corporate governance and social responsibility. Utilities are part of the critical national infrastructure and have a key role in providing UK resilience.

Table 8: Key messages for different sectors

Copyright Chartered Management Institute

First published 2007

Chartered Management Institute
2 Savoy Court, Strand, London WC2R 0EZ

All rights reserved. Except for the quotation of short passages for the purposes of criticism and review, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of the publisher.

British Library Cataloguing in Publication Data
A CIP catalogue record for this report is available from the British Library

ISBN

Chartered Management Institute

The leading organisation for professional management

As the champion of management, the Chartered Management Institute shapes and supports the managers of tomorrow. By sharing the latest insights and setting standards in management development, we help to deliver results in a dynamic world.

Encouraging management development, improving business performance

The Institute offers a wide range of development programmes, qualifications, information resources, networking events and career guidance services to help managers and organisations meet new challenges in a fast-changing environment.

Shaping future management practice

With in-depth research and regular policy surveys of its 71,000 individual members and 480 corporate members, the Chartered Management Institute uses its deep understanding of the key issues to improve management performance.

For more information please contact the Public Affairs Department on: Tel: Fax: Website: or write to us at the address below.

The Civil Contingencies Secretariat

The Civil Contingencies Secretariat (CCS) sits within the Cabinet Office at the heart of central government. It works in partnership with government departments, the devolved administrations and with key stakeholders at national, regional and local levels across the public, private and voluntary sectors to enhance the UK's ability to prepare for, respond to and recover from emergencies. You can find out more, and contact us, via our website at

Continuity Forum

Continuity Forum is a not-for-profit organisation committed to building the resilience of organisations internationally, regardless of size or sector, through education and the promotion of best practice in Business Continuity Management and its related disciplines. The Forum is dedicated to aiding the growth and the development of the Continuity sector and appropriate standards.
More information about Continuity Forum can be found at Contact: Russell Price or John Sharp Tel: Chartered Management Institute 2 Savoy Court, Strand, London, WC2R 0EZ Registered charity number Incorporated by Royal Charter ISBN Chartered Management Institute, March 2007 Reach 14329: 03/07
